CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



New Variant of Gustuff Android Banking Trojan Emerges

Recent Gustuff Android banking Trojan campaigns featured an updated malware version, Cisco Talos security researchers report.

Recent Gustuff Android banking Trojan campaigns featured an updated malware version, Cisco Talos security researchers report.

Soon after the malware was detailed earlier this year, its operators changed distribution hosts and then moved to disable the command and control (C&C) infrastructure, but continued to control the malware via a secondary administration channel based on SMS.

Gustuff now has a lower static footprint, because it no longer contains hardcoded package names, and allows operators to execute scripts using internal commands — it relies on JavaScript for that — which is a novelty in the Android malware space.

Initially, Gustuff was based on the Marcher banking Trojan, but the new variant has lost some of those similarities, the security researchers say.

The malware continues to use malicious SMS messages for infection and mainly targets users in Australia, meaning that token-based two-factor authentication and security awareness remain the best defense against it.

The new campaign was observed at the beginning of October, with the updated malware variant continuing to leverage targets of little interest to send propagation SMS messages — each target sends around 300 SMS messages per hour.

Based on the number of times the malware-hosting domains were accessed, the propagation method doesn’t appear to be effective, Talos says. The attacks mainly target Australian banks and digital currency wallets.

Gustuff now supports the dynamic loading of WebViews, meaning that it can receive a command to create a WebView targeting a specific domain (the injection is downloaded from a remote server).

Advertisement. Scroll to continue reading.

The researchers observed a command from the C&C to target an Australian Government Portal hosting several public services, including taxes and social security, with the command issued before the local injections were loaded from the remote server.

“This represents a change for the actor, who now appears to be targeting credentials used on the official Australian government’s web portal,” Talos notes.

Changes in the malware’s behavior include the state persistency across installations, achieved via a file created on external storage. Gustuff also pings the C&C at a predetermined interval to receive an OK message or a command to execute.

The list of targeted applications is provided during the activation cycle. The list of anti-virus/anti-malware software that the Trojan attempts to block is loaded in the same manner.

“During the activation cycle, the malware now asks the user to update their credit card information. The difference is that it does not immediately show a panel for the user to provide the information. Instead, it will wait for the user to do it and — leveraging the Android Accessibility API — will harvest it,” Talos explains.

The malware also features a secondary command execution control, with each command featuring a unique ID that the malware uses to report on the execution state.

Gustuff’s interaction with the device was also modified, with commands related to the socks server/proxy, along with code related to operations, removed.

These supposedly allowed the attackers to interactively perform actions on the banking applications, functionality now provided by the command ‘interactive’, which leverages the accessibility API to interact with the UI of the banking software.

Another new command is ‘script’, through which Gustuff starts a WebChromeClient with JavaScript enabled, then adds a JavaScript interface to the WebView to execute methods defined in the malware code.

With the WebView object already having access to the filesystem, this does not represent an additional security risk in this context. However, this does allow the operator to perform scripts and automate tasks.

“Although there are no changes in the way it conducts the campaign, Gustuff still changed the way it uses the malware to perform its fraudulent activities. The main target continues to be banking and cryptocurrency wallets. However, based on the apps list and code changes, it is safe to assume that the actor behind it is looking for other uses of the malware,” Talos concludes.

Related: Android Trojan Targets Banks, Crypto-Currencies, e-Commerce

Related: Mobile Malware and Mobile Attackers are Getting More Sophisticated

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...